In this week’s Cyber Weekly Digest we take a look at some of the biggest cyber security stories so far this year, including the latest incident affecting password manager LastPass and the 5.4 million Twitter user records leaked online. Keep reading to stay up to date on the latest cyber security news.
Password management service LastPass said it is investigating a second security incident in which attackers accessed some of its customer information. LastPass's CEO stated: "We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo." The scope of the breach remains unknown as yet, and it is not clear whether both LastPass and GoTo customers are impacted. However, users' passwords weren't compromised. The company said it has engaged Mandiant and alerted law enforcement of the latest development.
Over 5.4 million Twitter user records containing private information, stolen after attackers exploited an API vulnerability that was fixed in January, have been shared for free on a hacker forum. Another massive, potentially significant, data dump of millions of Twitter records has also been disclosed by a security researcher, demonstrating how widely this bug was abused by threat actors. The data consists of scraped public information as well as private phone numbers and email addresses that were not meant to be public. Last July, a hacker began selling the private information of 5.4 million Twitter users on a hacking forum for $30,000. While most of the data consisted of public information, such as Twitter IDs, names, login names, locations, and verified status, it also included private information, such as phone numbers and email addresses. Pompompurin, the owner of Breached Forums (a hacking forum), stated that on the weekend of the 26th of November they were able to exploit the bug and create the massive dump of Twitter user records after another threat actor, “Devil”, shared the vulnerability with them.
A fake Android SMS application with over 100,000 downloads on the Google Play store has been found to act as a secret SMS relay for an account creation service targeting sites like Microsoft, Google, Instagram, Telegram, and Facebook. A researcher says the infected devices are then rented out as “virtual numbers” for relaying the one-time passcodes used for verification during account creation. The app has a star rating of 3.4, yet reading the reviews tells an entirely different story: the most recent reviews consist of people complaining that their phones were hijacked and abused for OTP generation upon installation. The OTP requests are not just for social media accounts, but for banking and betting services as well. The accounts generated using this app are compiled into a second app called “Virtual number”, which was recently taken down. Users could then rent numbers for as little as $0.50 and, in most cases, use the number to verify accounts. It is still unconfirmed whether the developers of the malicious app are behind the OTP stealers, so it is recommended that you do not install these apps.
A previously unnamed ransomware has rebranded under the name ‘Trigona,’ launching a new Tor negotiation site where the operators accept Monero as ransom payment. Trigona has been active for some time, with samples seen at the beginning of the year. However, those samples used email for negotiations and were not branded under a specific name. Security researchers discovered that the ransomware operation started in late October 2022, when the operators created a Tor negotiation site and officially branded themselves as Trigona. According to researchers, there are numerous victims of the new ransomware operation, including a real estate company and what seems to be a village in Germany. It is not currently known how much money the threat actors are demanding from victims; however, when the ransom is paid, the victims receive a link to a decryptor and a keys.dat file, which contains the private decryption key. The decryptor allows the victim to decrypt individual files or folders on the local device and on network shares. It is not clear what direction Trigona will take, but it is likely that it will continue to expand its operations.
Colombian healthcare provider Keralty reported a ransomware attack on Sunday, which affected its systems as well as those of two of its subsidiaries: EPS Sanitas and Colsanitas. Keralty said on Monday that it was suffering technical issues but did not disclose the cause. On Tuesday, the company released an additional statement confirming the cyber-attack. Ransomware was suspected after a Twitter user posted a screenshot of the malware affecting Keralty's systems, attributed to the threat group RansomHouse. The attack has affected the availability of services for patients, and the RansomHouse group has also claimed to have stolen 3TB of data.